Saml authentication bypass vulnerability

Nextcloud version 25.0.7
Ubuntu 20.04.6
Apache v ersion2.4.41-4ubuntu3.14
PHP version 7.4

Good day! I am using LDAP and SAML apps in my nextcloud instance, and I faced the problem of bypass SAML authentication in browser.

Steps to replicate it:

  1. Open https://<instance_name>/remote.php/dav/files/<user_name>
  2. Enter correct credentials
  3. Delete <user_name> from URL
  4. Step by step delete from url files/ ; dav/ ; remote.php
  5. Cheers, you are logged in without SAML.

In case of my IDP, providing 2fa with SAML auth, such a bypass is a vulnerability.

Does anyone know, how it can be fixed without app password for dav clients?

When you enter correct credentials in browser opening https://<instance_name>/remote.php/dav/files/, there is a page, telling: This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Next cloud desktop sync client. Probably, there is a possibility to convert this message to an error for browsers?

Thank you in advance!

Enter correct credentials

Do you mean enter the app password? I believe this is expected as the app password isn’t scoped in any way except for filesystem access. You could always log in via the app password from https://<instance_name>/index.php/login?direct=1


thanks for your report! Can you please share your SAML configuration (remove any sensitive information) with us?

Thank you!

Just noticed that all versions you’re using are heavily outdated and not supported anymore. Does the same happen on supported versions?
See Maintenance and Release Schedule · nextcloud/server Wiki · GitHub


Do those match against a e.g. local user?

This must be a version thing. Just tested in both lab setup and production. I cannot replicate this.

I could - however - bypass SAML if using an app password. Which is expected.

1 Like

Is it correct? You open https://<instance_name>/remote.php/dav/files/<user_name>, and get redirect to SAML authentication?

I cannot login with browser to WebDav. This is expected. I am presented with a creds pop up. I enters my Creds, and is sent to an “internal server error”. Trying to browse to anything (deleting part of url) I am redirected to login page.

You cannot use SAML with WebDAV. It is not support by the devices using DAV to access filesystems. It only supports username-password.

But I cannot bypass it to gain access to anything.

1 Like

Sounds great, do you have “Enforce two-factor authentication” checkbox enabled?

In addition, I updated stand to 25.0.13, and I still have the same issue. Could you specify your version?

I meant normal password, I am trying to avoid using app passwords although my issue could be got over by forcing usage of app passwords.

I believe that’s because you are using a user that has their backend set to local. It needs to be a user_saml backend

For example for my user I see:

sudo docker exec -it -u 33 nextcloud_app php occ user:info dugite-code

  - user_id: dugite-code
  - display_name: dugite-code
  - email: dugite-code
  - cloud_id: dugite-code@example.tld
  - enabled: true
  - groups:
    - Nextcloud
    - admin
    - authentik Admins
    - nextcloud_admin
  - quota: none
  - storage:
    - free: 40330010624
    - used: 1120800088
    - total: 41450810712
    - relative: 2.7
    - quota: -3
  - last_seen: 2023-11-22T09:23:51+00:00
  - user_directory: /var/www/html/data/dugite-code
  - backend: user_saml

I don’t believe there is an easy way to change existing users and it requires modifying the DB. New users created by the SAML plugin will have the user_saml backend automatically

I use LDAP for backend, so yes, no my users have backend user_saml

To repeat what was written already :slight_smile:

  • Can you please share your user_saml configuration?
  • Do the credentials match a locally existing user/password?

That’s all that i could get with occ config:list user_saml:
“user_saml”: {
“enabled”: “yes”,
“general-require_provisioned_account”: “1”,
“general-use_saml_auth_for_desktop”: “1”,
“installed_version”: “5.2.0”,
“type”: “saml”,
“types”: “authentication”
Do you need something more specific?

And I don’t store credentials locally

Then the login works through LDAP. Set a login filter that never qualifies.

1 Like

This will affect the use of desktop dav clients, won’t it?

What? My suggestion? That should not be the case, provided they authed properly with SAML when setting up the client.